Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp3330377ybe; Sun, 15 Sep 2019 12:50:36 -0700 (PDT) X-Google-Smtp-Source: APXvYqzbI+rK8Rx7JEm8mLBneXhcyg3kjWDnZajGQ6BM9RlAq/LwUlXu+MFbmr36B7Xhb10h02cd X-Received: by 2002:a17:906:3b8a:: with SMTP id u10mr49860519ejf.167.1568577036423; Sun, 15 Sep 2019 12:50:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568577036; cv=none; d=google.com; s=arc-20160816; b=cCBi/MCfpW6SEbVIC0dRcONUQTIfd/ia/IEju32jm5EjPAeRqbAQ/LpzDbey6lCm1W UGWYFVB2tFmeWJ+R6VLIjwF/u59B381hTR2ZZIHrV+7qI79QB6uFcaWBFZrxeqVmd9Ne 5ajC7mMwkf5wee4UxpFsvXOnTaULT0YuWOzCYIsV1vPWo9pnMGsBVgITgBR4fKzTxfw+ jP2BfMkDzmEtZrCqggGqjPNkOCLS9FbOKfCranLG1zGVAJhKh4GwAtnWE3dG7rLJ9MMR P4++0/N3G7O+o0727nmCbWls1AgmnzUWdqD4ixA0AH0Zci4YIcYmtJyomTjg81mv9o2J XtXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:content-transfer-encoding :mime-version:user-agent:message-id:in-reply-to:date:references:cc :to:from; bh=LMkB5gRq8xod6TihYixZOw6G8WdKhyN9Gp4jO4nIAzs=; b=W2kO7JYZkJsCaGZE07LyPGsb3wYsAe24m9OBi4F8kS1MgqyLfHBUPkuZDK9V1/T4Nt kq5+K0sPELY2Y0mapYITdtE9JJva4YwndO6qWm/6iruu2NYun3l2ddNWyrSu9DJEugVa eXxh7u835fPd7aNkyU/xy7C2t1b3CYbDdpWgCRym5h7exnkIp46t9L2DQFdFCFTl2Q9i aRRYy2ofHZSVqa+X6+g+7XBVkbuwPHWM3uzIaAN91aUX72PmgQVTjuE/b0VWvjkx+69Z 2s1IKwIHgLLoaQuy2N1ZB09g5kWvWpMgxrturNax8SeQmehMhEE22uu7K7Bwfy24ovyL PiLw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ga7si11625705ejb.260.2019.09.15.12.50.11; Sun, 15 Sep 2019 12:50:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726084AbfIOSSW convert rfc822-to-8bit (ORCPT + 99 others); Sun, 15 Sep 2019 14:18:22 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:39401 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725270AbfIOSSW (ORCPT ); Sun, 15 Sep 2019 14:18:22 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]) by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1i9Z6I-00079r-T5; Sun, 15 Sep 2019 12:18:18 -0600 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from ) id 1i9Z6H-00011n-Lw; Sun, 15 Sep 2019 12:18:18 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: "Michael Kerrisk \(man-pages\)" Cc: Christian Brauner , linux-man , Containers , lkml , Andy Lutomirski , Jordan Ogas , werner@almesberger.net, Al Viro References: <20190805103630.tu4kytsbi5evfrhi@mikami> <3a96c631-6595-b75e-f6a7-db703bf89bcf@gmail.com> <87r24piwhm.fsf@x220.int.ebiederm.org> <87ftl5donm.fsf@x220.int.ebiederm.org> <20190910111551.scam5payogqqvlri@wittgenstein> <30545c5c-ff4c-8b87-e591-40cc0a631304@gmail.com> <871rwnda47.fsf@x220.int.ebiederm.org> <448138b8-0d0c-5eb3-d5e5-04a26912d3a8@gmail.com> Date: Sun, 15 Sep 2019 13:17:58 -0500 In-Reply-To: <448138b8-0d0c-5eb3-d5e5-04a26912d3a8@gmail.com> (Michael Kerrisk's message of "Sun, 15 Sep 2019 10:12:09 +0200") Message-ID: <87ef0hbezt.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT X-XM-SPF: eid=1i9Z6H-00011n-Lw;;;mid=<87ef0hbezt.fsf@x220.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1/EkPm9GGkbZrSz8OMQs54EEEIMjCGmbkA= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa06.xmission.com X-Spam-Level: X-Spam-Status: No, score=-0.2 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01, T_TooManySym_02 autolearn=disabled version=3.4.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4957] * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_02 5+ unique symbols in subject * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;"Michael Kerrisk \(man-pages\)" X-Spam-Relay-Country: X-Spam-Timing: total 719 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 3.0 (0.4%), b_tie_ro: 2.0 (0.3%), parse: 1.24 (0.2%), extract_message_metadata: 5 (0.8%), get_uri_detail_list: 2.7 (0.4%), tests_pri_-1000: 3.6 (0.5%), tests_pri_-950: 1.30 (0.2%), tests_pri_-900: 1.06 (0.1%), tests_pri_-90: 25 (3.5%), check_bayes: 24 (3.3%), b_tokenize: 9 (1.2%), b_tok_get_all: 8 (1.2%), b_comp_prob: 2.4 (0.3%), b_tok_touch_all: 2.5 (0.4%), b_finish: 0.65 (0.1%), tests_pri_0: 661 (92.0%), check_dkim_signature: 0.58 (0.1%), check_dkim_adsp: 2.3 (0.3%), poll_dns_idle: 0.78 (0.1%), tests_pri_10: 2.2 (0.3%), tests_pri_500: 6 (0.9%), rewrite_mail: 0.00 (0.0%) Subject: Re: pivot_root(".", ".") and the fchdir() dance X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org "Michael Kerrisk (man-pages)" writes: > Hello Eric, > > On 9/11/19 1:06 AM, Eric W. Biederman wrote: >> "Michael Kerrisk (man-pages)" writes: >> >>> Hello Christian, >>> >>>>> All: I plan to add the following text to the manual page: >>>>> >>>>> new_root and put_old may be the same directory. In particular, >>>>> the following sequence allows a pivot-root operation without need‐ >>>>> ing to create and remove a temporary directory: >>>>> >>>>> chdir(new_root); >>>>> pivot_root(".", "."); >>>>> umount2(".", MNT_DETACH); >>>> >>>> Hm, should we mention that MS_PRIVATE or MS_SLAVE is usually needed >>>> before the umount2()? Especially for the container case... I think we >>>> discussed this briefly yesterday in person. >>> Thanks for noticing. That detail (more precisely: not MS_SHARED) is >>> already covered in the numerous other changes that I have pending >>> for this page: >>> >>> The following restrictions apply: >>> ... >>> - The propagation type of new_root and its parent mount must not >>> be MS_SHARED; similarly, if put_old is an existing mount point, >>> its propagation type must not be MS_SHARED. >> >> Ugh. That is close but not quite correct. >> >> A better explanation: >> >> The pivot_root system call will never propagate any changes it makes. >> The pivot_root system call ensures this is safe by verifying that >> none of put_old, the parent of new_root, and parent of the root directory >> have a propagation type of MS_SHARED. > > Thanks for that. However, another question. You text has two changes. > First, I understand why you reword the discussion to indicate the > _purpose_ of the rules. However, you also, AFAICS, list a different set of > of directories that can't be MS_SHARED: > > I said: new_root, the parent of new_root, and put_old > You said: the parent of new_root, and put_old, and parent of the > root directory. > Was I wrong on this detail also? That is how I read the code. The code says: if (IS_MNT_SHARED(old_mnt) || IS_MNT_SHARED(new_mnt->mnt_parent) || IS_MNT_SHARED(root_mnt->mnt_parent)) goto out4; We both agree on put_old and the parent of new_mnt. When I look at the code root_mnt comes from the root directory, not new_mnt. Furthermore those checks fundamentally makes sense as the root directory and new_root that are moving. The directory put_old simply has something moving onto it. >> The concern from our conversation at the container mini-summit was that >> there is a pathology if in your initial mount namespace all of the >> mounts are marked MS_SHARED like systemd does (and is almost necessary >> if you are going to use mount propagation), that if new_root itself >> is MS_SHARED then unmounting the old_root could propagate. >> >> So I believe the desired sequence is: >> >>>>> chdir(new_root); >> +++ mount("", ".", MS_SLAVE | MS_REC, NULL); >>>>> pivot_root(".", "."); >>>>> umount2(".", MNT_DETACH); >> >> The change to new new_root could be either MS_SLAVE or MS_PRIVATE. So >> long as it is not MS_SHARED the mount won't propagate back to the >> parent mount namespace. > > Thanks. I made that change. For what it is worth. The sequence above without the change in mount attributes will fail if it is necessary to change the mount attributes as "." is both put_old as well as new_root. When I initially suggested the change I saw "." was new_root and forgot "." was also put_old. So I thought there was a silent danger without that sequence. Eric